Sophos Cloud Optix
Last week, Apple released a new version of its Mac operating system, OS X Mountain Lion. One of Mountain Lion’s new features is Safari 6, which adds new features including the ability to enable Do Not Track from the main Preferences window.
Apple also released Safari 6.0 for Lion, the previous version of Mac OS X.
According to Apple’s page detailing the security content of this update, Safari 6.0 contains fixes for a whopping 121 vulnerabilities.
Last year on Lion’s release date, Apple released Safari 5.1 for Snow Leopard and Windows to bring them up to par with Lion’s new version of Safari. On the same day, Apple also released Safari 5.0.6, a security-only update, for Mac OS X Leopard, which was then two OS versions old.
So given Apple’s history, and given that Safari 6 included such an extremely high number of critical security updates, one might expect Apple to release updates for Windows and Snow Leopard too – right?
Wrong.
Unfortunately, Apple did not release security updates for Safari for either Snow Leopard or Windows to coincide with the release of Safari 6.0.
While it may seem plausible that Apple could be waiting to release security-only updates at a later date, Apple dropped a major hint that this is unlikely, at least as far as the Windows version is concerned.
Apple now redirects www.apple.com/safari/download – the former download address from which the current Windows version could be obtained – to the main Safari page.
And on that webpage, the fine print states,
"The latest version of Safari is available in Mountain Lion. The latest version of Safari for Lion is available through Software Update."
There’s no mention of Windows or Snow Leopard.
Frustratingly, there’s no warning in either the browser itself or Apple Software Update on either platform that Safari likely won’t be updated. Users have no way of knowing that their browser has at least 121 unpatched vulnerabilities and is no longer safe to use.
This, of course, leaves Safari users on those platforms more vulnerable to attack.
It seems that many users who haven’t upgraded to Lion or Mountain Lion won’t know any better and will continue using Safari unaware of the risks.
The burden of informing those Safari users should really fall on Apple.
Last Wednesday I reached out to Apple for comment about Safari for Windows and Snow Leopard. So far I have not received a response.
I also inquired of Apple back in February whether any security updates would be released for Snow Leopard after the release of Mountain Lion. Again, Apple didn’t respond.
Unfortunately for Apple, ignoring security issues that affect a large percentage of users does not make the security issues disappear.
This is typical of Apple and I'm not entirely surprised. Though why would anyone want to use Safari on a Windows (and even OSX) machine when you have far better choices than Safari ?
Admittedly I've temporarily dumped Chrome for IE10 on my Win8 machines, but that's more for my own personal testing to see how well it performs now and when the final release of Win8 comes out and just getting to know it, it's not great and a lot like IE9, but does at least roams my Favourites, which is key for me.
It's typical of Apple to be way behind on patching. They are vulnerable to the latest Linux threats that have been patched as they keep behind the releases.
You can't run Linux apps or extensions directly in OSX without recompile/porting. What are you on about?
Last week I noticed the lack of Safari update for Windows, thankfully I use Chrome as my default browser!
Joshua -It is worse than that…if you erase/clean install SL, the 5.1 Safari update is now gone! You are stuck with 5.0.5 from the combo OS update.
Actually the snow leopard sucatalog refers to a Safari5.0.6Leopard.pkg installer. But Safari 5.0.6 is of course still not much better..
The last paragraph refers to part of the article that Sophos edited out.
Among other things, the original unedited article pointed out that over 38% of the current Mac installed base uses Snow Leopard, as compared to Lion's 46%.
That's part of what makes this such a big deal. It's not like Apple's just ceasing updates for a small, insignificant number of users. This is a huge portion of Apple customers.
I plan to publish the deleted parts of this article elsewhere, along with a related article. If you're interested, you can follow me on Twitter and I'll tweet a link when the rest is published. Just click the "Follow @theJoshMeister" button at the bottom of the article (above the comments).
Apple's silence on this issue is deafening… they're not supporting their own bundled web browser on an operating system they released less than three years ago!
I totally agree with Paul and Joshua. It is a disgrace that Apple cut off security updates to what you and I deem quite modern OSes. I agree 3 years is not old!
Microsoft gets a lot of flak but at least they support their OSes for longer. Windows XP will be supported until 2014, almost 13 years after its release. That’s probably a little too long but their standard support of 10 years from a product release I believe is outstanding. Apple should also follow this convention (or at least move up to 5 years support).
This cut off of updates is one just one reason why I choose not to be a fan of Apple products, they simply think that everyone has the disposable income to simply dump their devices every 2 to 3 years in favor of those new shiny ones. That’s an ideal world Apple live in. Not to mention the environmental consequences of everyone simply disposing of old devices. Not everyone is going to take the time to bring them to the appropriate recycling center like you or I.
If Safari for Windows is no longer going to be updated, it should also be removed from the Microsoft Browser Choice Update for European users. Having an insecure browser as a choice in that update is not a good idea.
Finally, I would like to know how many people have Safari installed given that it used to be installed by default when installing updates using Apple Software Update (when installed on Windows)? (unless you un-ticked the box to install Safari every time you performed a check for updates). Many, many people now have an insecure browser installed and that is no longer going to be patched.
Apple really need to look again at their stance towards online security and to make improvements.
I think Paul H. (below) is correct, uninstalling it is the best course of action right now (just like any software that you no longer need or want to use).
Apple cuts off their iOS devices from firmware updates too
Hi Brian,
Good point, I neglected to mention that and was thinking if I should post a follow up comment about it or not before you mentioned it!
My previous comment may sound like I hate Apple and its products but hate is too strong a word. In my opinion they do the job that was intended and they do it with style, if you like that sort of thing. For me it isn’t the reason that would make me buy such products i.e. just for the style and simplicity of them. For me, I don’t see what all of the fuss and fanfare of Apple products is about. I don’t consider them better or worse than anything else.
Many members of my family have Apple devices. One has an iPad (First generation iPad) and so will no longer be receiving iOS updates as you point out. It runs iOS 5.1.1 and this is the OS it will remain with. Another family member owns a Mac mini (from 2007) and a MacBook (from early 2008). The mini runs OS X 10.4.11 Tiger which ran out of support years ago. The MacBook runs 10.5.8 Leopard which also no longer receives updates. Both of these computers could run Windows 8 (both have 2 GB of RAM) but Apple deems them too old to run newer versions of their OS e.g. Mountain Lion or Lion won’t run on this hardware as mentioned at the following links:
http://www.apple.com/osx/how-to-upgrade/
http://en.wikipedia.org/wiki/Mac_OS_X_Lion
Snow Leopard (10.6) could probably be loaded on both, but what is the point? It too is now outdated.
Thankfully 2 other family members (yes, I know, a big family!) use an iPhone 3GS and the other uses an iPhone 4 so both will continue to receive updates (at least they can install iOS 6 when it arrives).
I am simply disappointed that perfectly capable hardware is considered very much outdated (I think the Mac mini mentioned above would be too slow for PC use as well). 5 years is about the time I begin to think something should be replaced, unless it performs an absolute critical function (in a non-business environment that consideration does not apply).
In conclusion, the MacBook and the iPad need replacing according to Apple even though they fulfil their roles perfectly for those using them. Browsing the web will need to be done with caution on both devices since they no longer receive security updates (the MacBook uses Sophos Anti-virus for Mac). Just because Apple considers a product out of date is putting its customers at unnecessary risk and I think that needs to change. Supporting a product/providing updates for at least 5 years would be great.
In today’s world when economies aren’t as prosperous as they were, people are going to keep devices for longer when they still work and I think this issue is only going to become more widespread.
My thanks to those who gave my comment above 3 thumbs up (likes).
Sorry for the long post.
Thank you.
Hi JimboC,
The MacBook can go up to OS X 10.7 “Lion”. At least you will get some increased security by upgrading it to Lion.
I’ve just uninstalled Safari and won’t be going back to it ever.
Problem solved.
This nothing new for an OS developer to do. Take winndows xp for example, when IE9 rolled out only Vista and 7 OS users could use it. So I think Apple and Microsoft have a thing or two to learn about protecting their customers. Another way to keep an up to date browser is to download one of the many third party browsers. Which are in my experience better than any stock OS browser.
If you are using Safari on Windows, you are lost!
This is absolute garbage. Most users use SL and they are just left on their own? Shouldn't their be some sort of announcement like "HEY your OS is now expired! Please purchase Lion to continue to get security updates or your hosed!"
Hi John P,
You’re right, a notification perhaps once a week that your OS needs updating would be a good idea. At least this way, Apple would prompt its customers to buy a new OS especially since OS X costs so little.
If a person’s hardware is up to date enough to upgrade to Lion I see little reason not to (if you can still buy it, I know looking around today I can’t find it available anywhere. Only Mountain Lion is available).
Thanks.
I guess they want us to 'upgrade' to WebKit nightlies..
It comes down to integration..Maybe it wasn't such a bad thing to have my mac get smashed, but I'm not looking forward to any of the lions..Snow leopard seemed much easier to use..I'm more concerned with all the sharing.. do I really need one device to directly share it with another? The commercial of the soccer mom taking her kids pics, & the kid immediately runs home to view them on his I pad is a bit much.. And if apple can't get their act together on their updates will that mean this sharing isn't just infecting one device, but all your devices ?
Apple is simply adopting the tried and tested Microsoft model of forcing users to update their OS with the added advantage that users will be forced to purchase Apple hardware to run Lion at a decent speed!:-(